Bug 31081 - postgres user blocked: breaks automatic maintenance
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PostgreSQL
UCS 4.2
Other Linux
P5 normal
UCS 4.3-2-errata
Assigned To: Jürn Brodersen
Philipp Hahn
Reported: 2013-04-17 16:47 CEST by Philipp Hahn
Modified: 2018-11-28 12:10 CET

What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Bug group (optional): Troubleshooting, Usability
Description Philipp Hahn univentionstaff 2013-04-17 16:47:51 CEST
/etc/postgres/8.4/main/pg_hba.conf is created from the multifile UCR templates 00-pg_hba.conf and 99-pg_hba.conf, where packages can insert their additions.

The split of the header and footer is wrong, since 99 starts with:

# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database
# super user can access the database using some other method.
# Noninteractive
# access to all databases is required during automatic maintenance
# (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by UNIX sockets
local   all         postgres                          ident

This must be before all further entries, because otherwise the postgres UNIX user is blocked from accessing all databases for maintenance tasks.
It should be moved from 99-pg_hba.conf to 00-pg_hba.conf to guarantee proper working.

The order of the entries is important (see Bug #16254), so any addition before that entry might disable access. This is for example done by repo-ng, which inserts
  local buildsystem all pam
This prevents the postgres user from connecting to that database, breaking backups for example.


On a second note: /etc/univention/templates/files/etc/cron.d/postgresql can be removed, since PostgreSQL-8.4 does an auto vacuum. The referenced file /usr/lib/postgresql/bin/do.maintenance is no longer installed, so the cron-job does nothing.
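
The ordering problem described in this report, as an added example (not part of the original bug report and not Univention's code): a simplified first-match evaluation of `local` records that reports the databases for which the `postgres` socket login no longer reaches an `ident`/`peer` rule. The function names and the two sample files are constructed here; only `all`, `sameuser` and literal names are handled, and `peer` is accepted because newer PostgreSQL releases use that name for `ident` on UNIX sockets.

```python
"""Simplified first-match check for 'local' records in pg_hba.conf."""

# Constructed sample: package entry sorted before the superuser rule.
BROKEN = """\
# entry inserted by a package ahead of the footer template
local buildsystem all pam
local   all         postgres                          ident
"""

# Constructed sample: superuser rule first, package entry afterwards.
FIXED = """\
local   all         postgres                          ident
local buildsystem all pam
"""

def parse_local_rules(text):
    """Return (lineno, databases, users, method) for every 'local' record."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "local":
            rules.append((lineno, fields[1].split(","), fields[2].split(","), fields[3]))
    return rules

def db_matches(dbs, database, user):
    return "all" in dbs or database in dbs or ("sameuser" in dbs and database == user)

def user_matches(users, user):
    return "all" in users or user in users

def first_match(rules, database, user):
    """PostgreSQL uses the first record that matches; later ones are ignored."""
    for rule in rules:
        if db_matches(rule[1], database, user) and user_matches(rule[2], user):
            return rule
    return None

def superuser_blocked(text, databases, superuser="postgres"):
    """Map each database to the rule that shadows the superuser socket login."""
    rules = parse_local_rules(text)
    blocked = {}
    for db in databases:
        hit = first_match(rules, db, superuser)
        if hit is None or hit[3] not in ("ident", "peer"):
            blocked[db] = hit
    return blocked

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, superuser_blocked(conf, ["postgres", "buildsystem"]))
```

Running it against a generated `pg_hba.conf` with the list of local databases shows which inserted line, by number, takes precedence over the superuser entry.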
Comment 1 Philipp Hahn univentionstaff 2017-03-08 16:00:05 CET
Still wrong with UCS-4.2
Comment 2 Jürn Brodersen univentionstaff 2018-11-27 10:09:29 CET
[4.3-2 69fc50f91e] Bug #31081: Ensure postgres user is at the top of pg_hba.conf
[4.3-2 f3ebb62273] Bug #31081: YAML

Package: univention-postgresql
Version: 10.0.1-4A~4.3.0.201811271006
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 3 Philipp Hahn univentionstaff 2018-11-27 13:09:45 CET
OK: 69fc50f91e
OK: f3ebb62273
OK: errata-announce -V --only univention-postgresql.yaml
FIXED: 51b8627bc1
+ * The rule for the PostgreSQL superuser has been moved to the beginning
+   of `pg_hba.conf` to always grant access to that internal user. This is
+   required for automatic maintenance and similar tasks.
+bug: [..., 31081]
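Review bot: the advisory line "The rule for the PostgreSQL superuser has been moved to the beginning" does not say which rule is meant. Naming it as the UNIX-socket entry `local all postgres ident` quoted in the description would let administrators find it in their generated `pg_hba.conf`, and a short remark that entries contributed by other packages now sort after it would explain the change in behaviour.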
OK: univention-install univention-postgresql{,-9.6}=10.0.1-4A~4.3.0.201811271006
OK: su -c psql postgres
Comment 4 Arvid Requate univentionstaff 2018-11-28 12:10:42 CET
<http://errata.software-univention.de/ucs/4.3/341.html>